SUSE:SLE-15-SP7:Update
File openssl-1.1.1-fips_list_ciphers.patch of Package openssl-1_1.20905
diff --git a/crypto/evp/c_allc.c b/crypto/evp/c_allc.c index d6cbc27..ebb1948 100644 --- a/crypto/evp/c_allc.c +++ b/crypto/evp/c_allc.c @@ -14,11 +14,13 @@ #include <openssl/pkcs12.h> #include <openssl/objects.h> +extern int init_will_enter_fips_mode; + void openssl_add_all_ciphers_int(void) { #ifdef OPENSSL_FIPS - if (!FIPS_mode()) { + if (init_will_enter_fips_mode == 0) { #endif #ifndef OPENSSL_NO_DES EVP_add_cipher(EVP_des_cfb()); diff --git a/crypto/fips/fips.c b/crypto/fips/fips.c index 9d88bd2..5ee51a1 100644 --- a/crypto/fips/fips.c +++ b/crypto/fips/fips.c @@ -73,6 +73,9 @@ # define PATH_MAX 1024 # endif +/* Not static because it will be accessed outside this file. */ +int init_will_enter_fips_mode = 0; + static int fips_selftest_fail = 0; static int fips_mode = 0; static int fips_started = 0; diff --git a/crypto/o_init.c b/crypto/o_init.c index 4118938..72a7eea 100644 --- a/crypto/o_init.c +++ b/crypto/o_init.c @@ -24,21 +24,30 @@ # define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled" +extern int init_will_enter_fips_mode; + static void init_fips_mode(void) { char buf[2] = "0"; int fd; - /* Ensure the selftests always run */ - /* XXX: TO SOLVE - premature initialization due to selftests */ - FIPS_mode_set(1); - if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) { buf[0] = '1'; } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) { while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ; close(fd); } + + /* Even though we hacked this so that we do the FIPS tests when we */ + /* are not going to be in FIPS mode, some elements need to know if we */ + /* are TRULY going to be in FIPS mode. */ + if (buf[0] == '1') + init_will_enter_fips_mode = 1; + + /* Ensure the selftests always run */ + /* XXX: TO SOLVE - premature initialization due to selftests */ + FIPS_mode_set(1); + /* Failure reading the fips mode switch file means just not * switching into FIPS mode. We would break too many things * otherwise..
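Review bot: In the crypto/evp/c_allc.c hunk, the guard `if (init_will_enter_fips_mode == 0)` is only correct if init_fips_mode() in o_init.c has already run when openssl_add_all_ciphers_int() is called; otherwise the flag still holds its initial 0 and the ciphers inside the block (EVP_des_cfb() is the first one visible) are registered on a system that is about to enter FIPS mode. Nothing in the hunk states or enforces that ordering, so please add a comment at the guard naming the dependency. The `extern int init_will_enter_fips_mode;` declaration is also repeated by hand here and in o_init.c; moving it to a shared internal header would let the compiler check it against the definition in fips.c.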
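Review bot: In the crypto/fips/fips.c hunk, `int init_will_enter_fips_mode = 0;` adds an unprefixed, non-static global to the library, which can collide with application symbols and exposes a writable flag that controls which ciphers get registered. Consider a library-style prefixed name, or keep the variable static and expose a small read-only accessor function. The comment says only that the variable is not static; it would help more if it said who sets it (init_fips_mode() in o_init.c) and who reads it (openssl_add_all_ciphers_int() in c_allc.c).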
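Review bot: In the crypto/o_init.c hunk, `init_will_enter_fips_mode = 1` is assigned before `FIPS_mode_set(1)` runs the selftests, and the return value of that call is not checked in the visible lines, so the flag records the intention read from OPENSSL_FORCE_FIPS_MODE or /proc/sys/crypto/fips_enabled rather than whether FIPS mode was actually entered. If that is intended, say so in the comment; as written, "some elements need to know" does not tell a reader which code depends on the flag or what happens when the selftests fail. Style point: the new comment is three separate `/* ... */` lines, while the existing multi-line comment at the end of the hunk uses one block with leading `*`; please match that.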